Wednesday, February 27, 2013

The Worst Article You Might Ever Read About 'Cybersecurity'

from the this-one's-special dept

There has been a lot of discussion lately about "cybersecurity," "cyberwar,"
"cyberattacks" and all sorts of related subjects which really, really
(really!) could do without the outdated and undeniably lame "cyber-" prefix. This is, in large part, due to the return of CISPA along with the White House's cybersecurity executive order.
Of course, the unfortunate part is that we're still dealing in a
massive amount of hype about the "threats" these initiatives are trying
to face. They're always couched in vague and scary terms, like
something out of a movie. There are rarely any specifics, and the few
times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = "we must have a law!"

However, I think we may now have come across what I believe may top the list of the
worst articles ever written about cybersecurity. If it's not at the
top, it's close. It is by lawyer Michael Volkov, and kicks off with a
title that shows us that Volkov is fully on board with new laws and
ramping up the FUD: The Storm Has Arrived: Cybersecurity, Risks And Response.
As with many of these types of articles, I went searching for the
evidence of these risks, but came away, instead, scratching my head,
wondering if Volkov actually understands this subject at all, with his
confused thinking culminating in an amazing paragraph so full of wrong that it almost makes me wonder if the whole thing is a parody.

The piece starts off, though, by playing up those supposed "risks,"
discussing how companies face "economic devastation" due to the "theft
of valuable trade secrets." Here's an exercise: name one such company
that has been so devastated. We'll wait. Then he talks about how these
hacks could lead to "disclosure of consumer and employee information."
Of course, he seems to be mixing and matching the types of hacks he's
talking about. The "trade secret" stuff is generally corporate
espionage, whereas the leaking of data tends to just be more general
malicious hacking. Very different issues that probably require very
different responses. But they're lumped together here.

So we've got an ill-defined problem, but have no fear, because the answer is here: Congress!

At the core of the problem is Congress’ failure to act. For years now,
Congress has tried to enact meaningful cybersecurity legislation.

Any analysis of whether or not the attempts at "meaningful cybersecurity
legislation" would have any impact at all on the kinds of attacks
discussed in the first paragraph? Why, no. Because that would be
useful. But that's okay, because Congress needs to act!

The risks are too large and the consequences of failing to act can result in serious economic consequences.

Again, can someone point to any evidence of cybersecurity issues having
"serious economic consequences" to date? Yes, it's possible they might
in the future, but let's put these things in perspective.

And then we get to this. I warn you ahead of time: reading the
following paragraph may cause certain knowledgeable brains to experience
something akin to spasms.

Recent cyber-attacks have illustrated the ability of terrorist groups
and foreign governments to cause havoc on the Internet. The United
States Sentencing Commission’s website was destroyed when activists
attacked the site to protect the federal prosecution of Bart Swartz
which eventually led to Mr. Swartz committing suicide. For years, the
Chinese government has launched massive daily attacks against our
government and private industry which are aimed at disrupting government
operations, stealing trade secrets and undermining economic activity.

Let's break this down. Bit by awful bit.

Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet.

Where and how? So far, the only example of any government causing any
sort of "havoc" appears to have been the US, with Israel, in their
attacks on Iran via Stuxnet, Flame and possibly some other very targeted
malware attacks. What "terrorist groups" or "foreign governments" have
actually caused any actual "havoc on the Internet"? The answer is
none. It's certainly not what comes next:

The United States Sentencing Commission’s website was destroyed when
activists attacked the site to protect the federal prosecution of Bart
Swartz which eventually led to Mr. Swartz committing suicide.

Yeah. Okay. (1) The United States Sentencing Commission's website was temporarily
hacked (and later taken down). It was not "destroyed" in any sense of
the word. (2) Activists are neither the "terrorists" nor "foreign
governments" we were promised in the preceding sentence. (3) Taking
down the site briefly did not cause "havoc." (4) BART Swartz??!??!? (5) The hack was to protest the federal prosecution of Aaron Swartz, not to "protect"
it. (6) While many of Swartz's friends and family do say that the
prosecution likely led to his suicide, no one can say for sure. (7)
Nothing about the hack by Anonymous had anything to do with
"cybersecurity" nor would CISPA have protected the Commission's website
(better programming might have). Basically, this sentence is just about
as wrong as it could possibly be, and has nothing to do with what the
article is about, other than drumming up fears about "cybersecurity."

For years, the Chinese government has launched massive daily attacks
against our government and private industry which are aimed at
disrupting government operations, stealing trade secrets and undermining
economic activity.

There's been plenty of talk about these Chinese hacks, which definitely
do appear to be happening. But, what economic activity has been
undermined? So far, the hacks may have been a nuisance, but it's
unclear that they've done any real damage. It is also unclear how CISPA
helps stop such hacks, other than making Congress feel like it's "done
something."

Are there issues with online security that need to be taken seriously?
Yes, absolutely. Do we need legislation to deal with those problems?
That's debatable, and we're still waiting for some evidence not just of
scary-sounding threats, but that this kind of legislation will actually
help. Unfortunately, this article keeps us waiting. But, it did make
us laugh. Unintentionally (we think).